Hello,

We have problems getting SecuRemote clients connected to a couple of Sofaware boxes. They are located behind ADSL services, and the issue is that the ISP insists they will put the public IP on the ADSL router and not give it away to be put in the firewalls. They were told this was going to be used for VPN connectivity, so they said that they created a static NAT on the ADSL routers to have a one-to-one relationship between the public IP and the external IP of the firewalls, but we still have problems.
SecuRemote will get in touch with the Sofas and create the site, but then when we try to connect, it fails with a "gateway not responding" error. The logs in the Sofas show IKE phase 1 and user authentication both completed successfully, but then nothing else. We did a test creating a site-to-site VPN between two of these boxes and it works perfectly, so the issue is only with Remote Access connections. The only difference I see between Remote Access and Site-to-site VPNs in the Sofa logs is that when doing the first, it says NAT-T: turned off, while doing the second it says NAT-T: turned on.

The problem has all the symptoms of a problem with dynamic NAT, where no traffic other than UDP or TCP is able to go through, which is solved by using NAT-T, but the ISP insists this is not dynamic NAT, but instead a static one (which of course we cannot confirm, as only they have access to the damn ADSL router). So I'm thinking that if NAT-T could be turned on for these Remote Access connections, the issue should disappear, but I checked the Advanced configuration on the SecuRemote side and it in fact says NAT-T should be used, and the "force UDP encapsulation" and "IKE over TCP" options are checked. On the Sofa side I see no settings related to this.

We tested this with two different boxes behind similar ADSL setups of the same ISP; one was a VPN-1 Edge, the other a [EMAIL PROTECTED], and we have the latest versions of firmware on them as well as the latest version of SecuRemote, recently downloaded from the CP site.

Does anybody have an idea on how to solve this one? Thanks in advance for any help.

Regards -- Sergio Alvarez (506)8301342
